From: | Sasasu <i(at)sasa(dot)su> |
---|---|
To: | Stephen Frost <sfrost(at)snowman(dot)net>, Bruce Momjian <bruce(at)momjian(dot)us> |
Cc: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: XTS cipher mode for cluster file encryption |
Date: | 2021-10-18 02:35:48 |
Message-ID: | 01cc0870-5526-de25-7ab5-55247f7cfca6@sasa.su |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On 2021/10/16 04:57, Tomas Vondra wrote:
>
> Seems reasonable, on the assumption the threat models are the same.
On 2021/10/16 03:22, Stephen Frost wrote:
> plain64: the initial vector is the 64-bit little-endian version of the
> sector number, padded with zeros if necessary
>
> That is, the default for LUKS is AES, XTS, with a simple IV. That
> strikes me as a pretty ringing endorsement
On 2021/10/18 05:23, Tomas Vondra wrote:
>
> AFAICS the threat model the patch aims to address is an attacker who can
> observe the data (e.g. a low-privileged OS user), but can't modify the
> files. Which seems like a reasonable model for shared environments.
I agree this threat model.
And if PostgreSQL is using XTS, there is no different with dm-encrypt.
The user can use dm-encrypt directly.
Attachment | Content-Type | Size |
---|---|---|
OpenPGP_0x4E72AF09097DAE2E.asc | application/pgp-keys | 7.9 KB |
From | Date | Subject | |
---|---|---|---|
Next Message | houzj.fnst@fujitsu.com | 2021-10-18 02:51:43 | RE: Failed transaction statistics to measure the logical replication progress |
Previous Message | Sasasu | 2021-10-18 02:19:48 | Re: XTS cipher mode for cluster file encryption |